1. Field of the Invention
The present invention relates to making electronic payments using payment instruments such as credit cards, communications devices such as phones and biometric data such as fingerprints. The present invention further relates to methods for ensuring that payments can be made between the payment instruments and/or the communications devices and that the payments are secure. Electronic payments typically refer to payments for purchases and money transfers but more comprehensively refer to any movement of funds between two parties or between payment instruments.
2. Description of the Related Art
Electronic payment transactions typically require at a minimum three parties: a consumer, a merchant and a credit or money disbursing institution such as a bank, hereinafter called the issuer. The issuer provides the consumer with a payment instrument, usually represented as a physical card with a unique instrument identification number or identification code (hereinafter also called the IIN) to which the consumer's funds or credit line are attached. Generally the IIN is both visibly embossed on the physical payment instrument and also electronically stored on it either across a magnetic stripe (also called a magstripe), as a bar code or in a computer chip. The payment instrument may also be virtual, that is, have no physical equivalent, but will still have an IIN and may require a PIN. The merchant has to be approved beforehand by the issuer to accept its payment instrument which usually requires that the merchant install specialized hardware and/or software and that he be given a unique merchant identification number and that he communicate with the issuer and obtain approval for each payment transaction. Transactions for which the issuer approves payment are credited to the merchant either in real time or after an agreed interval (usually two days). Data for the payment instrument and its consumer owner as well as data for each merchant who accepts the instrument is held by the issuer. For electronic payments conducted offline (i.e., in a physical facility as opposed to the Internet or similar network), the consumer has to physically present the payment instrument to the merchant who “reads” the IIN and other identifying data from it and communicates that data along with the payment amount and his merchant identifier to the issuer. Reading the instrument requires that the physical payment instrument be in contact with or close to the merchant's Point-of-Sale device (POS). The issuer on receiving data from the merchant confirms the validity of the consumer's payment instrument, debits him, credits the merchant with funds for the payment transaction, and sends a message to the merchant confirming whether the payment transaction was approved or denied. The process of reading the consumer's payment instrument and communicating it to the issuer can be done manually by the merchant, but is slow, and insecure. For manual processing of a credit card payment, the merchant can read the IIN (i.e., the credit card number) off the consumer's credit card, call the issuer over the phone, provide the credit card number as well as the payment amount for which approval is requested and receive approval over the phone. The issuer will then manually update its records for that payment instrument and credit the merchant. More commonly, however, information that uniquely identifies the payment instrument, that is, the instrument identification number and possibly other transaction data such as the consumer's identity, is read electronically by a Point-Of-Sale device, hereinafter called a POS device, and communicated electronically to the issuer. The issuer confirms that funds are available for the payment instrument, debits (or credits) the Instrument, credits (or debits) the merchant, and then sends a transaction approval or denial message back to the merchant through the POS device.
A similar process is followed for payments online (i.e., the Internet or similar network). The consumer connects to the merchant's web site and enters information for his payment instrument. The merchant retrieves the payment instrument identification number, consumer information and other required transaction data which it then transmits to the issuer in order to get payment approval.
Six key problems arise from these modes of electronic payment:
a) Offline, the consumer has to be at, or physically close to the merchant for his payment instrument to be read. It would be preferable to be able to perform a payment transaction using a communications instrument such as a phone or cellular phone that permits automated, secure payments to any merchant who can be reached by wireless or via the phone network. Phone payments, like long-range wireless payments, make it unnecessary for the merchant to have physical access or close proximity to the consumer's payment instrument to read information from it. This is called a “contact” read meaning that the payment instrument is physically present and read directly by the POS device. The distances over which a phone payment can be performed are much larger than the relatively short distances attainable with the protocols (for example, blue tooth, infra-red and short wave transmission protocols) used for transmitting the IIN (and the PIN when applicable) of the payment instrument to the POS device. In fact, the use of such protocols to read the IIN of a payment instrument are considered “contact” not “wireless” reads because of their short operating distances, and the POS devices that use such protocols are not herein defined as special Point-Of-Sale devices.
In the present invention, phone payments have the transaction characteristics of a payment made by a physically present payment instrument, namely, the payment transaction is immediately approved by the issuer and the consumer's funds or credit lines immediately debited (or credited); processing is secure and automated and takes about the same time as for a physically read payment instrument; processing time is much faster than for a manually processed transaction (described earlier); the phone payments work with any phone or cellular phone and do not depend on the phone carrier; the issuer does not have to contract with any additional parties in order to accept payments: This requires a prior arrangement with the phone carrier, which is not required for the present invention.
b) Merchants who wish to accept phone payments require a special Point-of-Sale device (SPOS) that accepts phone payments, but merchants who already accept an issuer's payment instrument offline would already have a POS device, and would need an additional investment in a SPOS device. A method is needed that would permit merchants to accept phone payments using their existing POS devices; While new merchants would likely purchase new SPOS devices to perform both “contact” and phone payment transactions, most existing merchants will opt to use their existing POS devices to accept phone payments.
c) Online, the consumer has no way of knowing if the merchant's web site—the equivalent of an offline physical merchant location—where his payment instrument information is being entered actually belongs to the supposed merchant. It is common for fraudsters to mimic a merchant's site in order to harvest a payment instrument's data and its consumer information for later fraudulent use. This activity called “Phishing” is the primary reason why payment instrument fraud is about 11 times higher online than it is offline. This is particularly telling for payment instruments (such as debit cards) with no form of consumer authentication. The consumer enters at the merchant's Web site or physical location the instrument identification number, (the IIN) for the payment instrument and his PIN to complete a payment. These PIN-requiring Instruments when used for payments offline are reasonably secure since the IIN is read directly off the instrument by the POS device. So if the instrument is stolen the thief is unlikely to know the PIN, and if the PIN is stolen the thief must also have physical possession of the payment instrument in order to use it. Online however the PIN and IIN are entered in tandem so both can be stolen at once. Since the PIN and IIN combination is all that is required to authorize payment, the likelihood of fraud with such payment instruments is much, much higher online than it is offline. A method is needed to identify fraudsters, who pose as real merchants in order to steal the IIN and PIN of a consumer's payment instrument, and reduce risk from payment transactions online.
d) If a payment instrument is stolen, there is no way of preventing its use or determining that the thief is not the actual owner unless the real consumer-owner reports it lost. Furthermore each consumer must physically carry the payment instrument in order to make payments offline. Using biometric data in addition to or as alternative to a physical payment instrument solves both problems. When biometric data is required in addition to the payment instrument itself, (for example, making a payment using a credit card and a fingerprint), it increases electronic payment security since if the instrument is stolen it still cannot be used. When biometric data is used as an alternative to the payment instrument to perform a payment transaction, it frees the consumer from the necessity of always carrying a payment instrument since he can use his ever-present biometric data, such as a retinal scan, to make a payment. This is quite secure as biometric data is very difficult to duplicate.
e) Several payment instruments (such as gift cards) are not readily convertible to cash nor can they be paid into the consumer's bank account or transferred to other payment instruments or communications devices. Ideally, payment instruments should allow funds on them to be drawn as cash at brick and mortar locations or from an Automatic Teller Machine attached to an electronic funds transfer network, and should enable transfer of funds to other payment instruments, communications devices and bank accounts. It should also be possible to “load” or attach funds from a payment instrument to a communications device following which the device can be used to make payments. The present invention includes description of methods for loading or attaching cash to a phone either from an existing payment instrument such as a stored-value card or bank account or directly by making an offline cash payment.
f) A payment instrument that does not use a PIN (i.e., a non-PIN payment instrument) offers much less security online than one that requires a PIN. The latter is safer because theft of the payment instrument also requires theft of the PIN (This is why loss of an ATM card, a PIN instrument, is less troubling than loss of a credit card, a non-PIN instrument). A method is therefore required that would enable a consumer to select a PIN and require its use for transactions even when making payment with a non-PIN payment instrument. A payment instrument that requires a PIN should offer a method to generate a PIN that is usable One-Time and which expires after a short time interval.
In summary, the problems enumerated above are all solved by the present invention.